Page 1 of 52

Title: Runtime Modification of Entries in an Identity System

Applicants: Delany, et al. Docket: OBLX-01037US0

Appl. No.: Unknown Atty: Burt Magen

Filing Date: November 30, 2001 Phone: (415) 369-9660

Express Mail No.: EL 897 525 677 US



FIG. 1 (system block diagram, reference numerals 12-48): Web Browsers (12, 14); Web Servers and Resources (20, 22, 24, 28); a DMZ with two firewalls (38); Access Server (34); Directory Server (36); Identity Server (40) with components UM (42), GM (44), OM (46) and Pub (48).






FIG. 2 (computing system block diagram, reference numerals 58-68): Processor; Memory; Mass Storage; Portable Storage; Input Devices; Output Devices; Graphics Subsystem; Output Display; Peripherals.






FIG. 3 (data access architecture block diagram): Application; Application Layer; Data Access Layer (150); base DB (152); DB components 122, 128 (Profile) and 136 (Agent); Connection Managers (140, 142, 144, 146) each attached to a Data Store (36a, 36b, 36c, 36d).






FIG. 4 (flowchart, reference numerals 170-198): app calls baseDB (170); baseDB calls DB Manager (172); DB Manager consults Profiles (174); Profiles indicate service (176); DB Manager creates Proxy for request (178); Proxy provided with pointers to Agents (180); baseDB calls Proxy (182); Proxy calls relevant Agents (184); Agents perform DB access (186); Agents convert data (188); Agents return results to Proxy (190); Proxy combines results (192); results provided to baseDB (194); Proxy terminated (196); results reported to app (198).






FIG. 5 (directory tree; only the legend is legible). Legend: DC = Domain Component; O = Organization; OU = Organizational Unit; CN = Common Name; DN = Distinguished Name.






FIG. 6 (flowchart, reference numerals 300-320; decision text not legible): user requests access to Identity System (300); request intercepted by WebPass (302); allow access to Identity System (306); add Uid to Uidcookie (312); attempt to authenticate user; create uIDcookie; deny access to Identity System; allow access to Identity System (318); yes/no branches at 304, 308, 310, 314, 316 and 320.






FIG. 7 (cookie layout, 360): fields Uid (362), IP Address (364), time stamp (366).








FIG. 10 (Organization Manager screen, 46): application selector; search tool; Organization Manager; Create Org. Profile; Requests; Configure. (FIG. 8 and FIG. 9 are not on this sheet.)






FIG. 11 (flowchart, reference numerals 500-510): start (500); yes/no decision (502); selection of rights (read, write, notify) (504); selection of attribute(s) (506); specification of domain (508); identify users (510); done.

FIG. 12 (flowchart, reference numerals 530-540): Source user's browser sends request to access attributes of a target directory entry (530); Request received by User Manager (532); User Manager accesses target profile and source profile on Directory Server (534); User Manager determines access to attributes of target (536); User Manager passes results info for allowed attributes to browser (538); Display attributes of target that have been allowed for user (540).






FIG. 13 (flowchart, reference numerals 580-592): request to delegate (580); yes/no decision (582); selection of rights (584); selection of right to further delegate (586); selection of attribute(s) (588); specification of domain (590); identify delegated administrators (592).






FIG. 14 (flowchart, reference numerals 640-648): Admin request to enable a proxy (640); provide list of proxies (642); allow Admin to search and add more names to list (644); receive selection of proxies to add or subtract (646); notify proxies (648).

FIG. 15 (flowchart, reference numerals 660-674): receive request for and display list of entities to proxy (660); receive selection of entity to proxy (662); enact proxy (664); add contents of UidCookie to originalUidCookie (666); add ID of proxy to UidCookie (668); operate as proxy in Identity System, but as original entity in Access System (670); de-enact proxy (672); replace Uid in Uidcookie with Uid from originalUidcookie (674).






FIG. 16 (flowchart, reference numerals 700-708): create and store template (700); create workflow object (702); define steps of workflow based on template (704); store workflow (706); use workflow to perform tasks (708).

FIG. 17 (flowchart, reference numerals 730-734): add each workflow type (730); for each workflow type, add actions (732); for each action, add parameters (734).

FIG. 18 (flowchart, reference numerals 750-762): receive request to create a workflow (750); user allowed? (752; no -> 754); yes -> identify allowed workflows, types of objects, tasks, target domains (756); receive identification of workflow (758); receive selection of type of object (760); receive domain (762).






FIG. 19 (flowchart, reference numerals 780-808): determine possible actions from template (780); add possible actions to GUI (782); receive selection of action (784); determine types of attributes from template (786); add attributes and types of relevant data to GUI (788); receive selection of attributes and types (790); select participants (792); specify pre and post notifications (794); another step? (796); yes -> determine possible entry conditions from template (798); add entry conditions to GUI (800); receive selection of entry conditions (802); determine if previous step has subflow (804); add indication of subflow to GUI (806); receive indication of whether to wait for subflow (808).






FIG. 20 (flowchart, reference numerals 840-886): user requests an action (840); identify and report workflows (842); receive selection (844); get first step (846); access event catalog (848); pre-notify (850); perform step (852); supplied variable? (860; no / yes); subflow (862); access event catalog (864); post notify (866); get next step (868); access event catalog (870); pre-notify (872); further decision (878, yes); entity requests workflow (884); access step (886).






FIG. 21 (flowchart, reference numerals 900-910): receive indication of supplied attribute (900); workflow exist? (902); no -> done; yes -> perform workflow (904); write data to main flow (906); store data at target (910).

FIG. 22 (flowchart, reference numerals 940-948): create first workflow for first application (940); create second workflow for second application (942); add entry to event catalog (944); create client program to invoke second workflow (946); create configuration file for client program (948).






FIG. 23 (flowchart, reference numerals 978-994): invoke client program (980); pass parameters to client program (982); wait for response from client program (984); step failed (988); step did not fail (990); async (992): workflow provides message to user and waits for client to return; async response from client program (994).

FIG. 24 (flowchart, reference numerals 1010-1032): client program invoked (1010); receive parameters (1012); read config file (1014); determine workflow(s) (1016); compose request in XML doc (1018); connect to app using SOAP (1020); send XML input doc to request app to perform workflow (1022); receive indication of success/fail (1024); return success, fail or async (1026); wait for output (1028); process XML output (1030); call back, if async (1032).






FIG. 25 (flowchart with pseudocode, reference numerals 1100-1114):

    receive request to view groups that user is a member of (1100)
    G_s = all groups that user is a static member of (1102)
    G_d = all groups that user is a dynamic member of (1104)
    G_t = G_{s+d}, where G_{s+d} = G_s + G_d (1106)
    for each g_i in G_{s+d}:                                  (1110)
        G_t = G_t U Find_Containing_Groups(g_i)

    function Find_Containing_Groups(g_i):                      (1112)
        1. G = all g such that g_i is a static member of g
        2. for each g_j in G:
               i.  mark g_j as the containing group of g_i
               ii. G = G U Find_Containing_Groups(g_j)
        return G

    report G_t (1114)






FIG. 26 (flowchart with pseudocode, reference numerals 1140-1156):

    receive request to view groups that user is a member of (1140)
    find the set of groups G_s in which u is a static member (1142)
    find the set of groups G_d in which u is a dynamic member (1144)
    initialize i, the ith level of nesting, to 0 (1146)
    G_{n,i} = G_s + G_d (1148)
    while G_{n,i} not equal to zero:                            (1150)
        G_{n,i+1} = all g such that there exists g_j in G_{n,i}
                    where g_j is a static member of g
        i = i + 1
    for each G_{n,i} in G_n:                                    (1152)
        a. G_c = G_{n,i+1}
        b. G_m = G_{n,i}
        c. for each g_j in G_c
        d.     for each g_k in G_m
        e.         if g_k is a static member of g_j
        f.             mark g_j as a containing group of g_k
    for each G_{n,i} in G_n:                                    (1154)
        G_t = G_t U G_{n,i}
    report G_t (1156)






FIG. 27 (flowchart with pseudocode, reference numerals 1200-1204):

    receive request to view members of group (1200)
    function GetMembersOfGroup(U_t, g):                         (1202)
        1. U_t = U_t + U_s(g)
        2. U_t = U_t + U_d(g)
        3. for each g_i in G_s(g):
               GetMembersOfGroup(U_t, g_i)
    report U_t (1204)

FIG. 28 (flowchart with pseudocode, reference numerals 1220-1228):

    receive request to view members of group (1220)
    function GetMembersOfGroup(U_t, R, g):                      (1222)
        a. U_t = U_t + U_s(g)
        b. R = R + g_r
        c. for each g_i in G_s(g):
               i. GetMembersOfGroup(U_t, R, g_i)
    for each r_i in R:                                          (1224)
        i.   match = false, j = 0
        ii.  while j < sizeof(R_n) and match == false:
                 1. if r_i.sb = r_{n,j}.sb and r_i.s = r_{n,j}.s:
                        a. r_{n,j}.f = r_{n,j}.f or r_i.f
                        b. match = true
        iii. if match == false:
                 1. R_n = R_n + r_i
    for each r_{n,i} in R_n: (body not legible)                 (1226)
    report U_t (1228)






FIG. 29 (subscription flowchart, reference numerals 1250-1278; decision text not legible): access group profile page (1250); select to subscribe (1252); yes/no decisions (1254, 1256, 1264, 1270, 1272, 1276); group is closed, subscription fails (1258); access LDAP rule (1260); apply LDAP rule (1262); add entity to group (1266); subscription fails (1268); initiate workflow (1274); add entity to group (1278).






FIG. 31 (unsubscription flowchart, reference numerals 1300-1318; decision text not legible): access group profile page (1300); select to unsubscribe (1302); yes/no decisions (1304, 1308, 1314); remove entity from group (1306); group is closed, do not remove entity (1310); initiate workflow (1312); remove entity from group (1316); do not remove entity (1318).

FIG. 30 (group expansion flowchart, reference numerals 1350-1358): request expansion (1350); select group(s) (1352); selected group(s) expanded (1354); accesses to groups access the expanded version (1356); automatically repeat (1358).






FIG. 32 (flowchart, reference numerals 1398-1408): create group (1398); receive request to modify existing group (1400); provide list of auxiliary classes (1402); receive selection of auxiliary classes to add/remove (1404); remove auxiliary classes and attributes (1406); add/store auxiliary classes and attributes (1408).

FIG. 33 (flowchart, reference numerals 1460-1468): choose aux class for adding (1460); add auxiliary class to object (1462); add all new superior auxiliary classes (1464); add new attributes from new class (1466); more aux classes? (1468); yes -> repeat.

FIG. 34 (flowchart, reference numerals 1430-1440): select an aux class for removal (1430); determine attributes in aux class (1432); remove attributes of aux class from group object (1434); remove aux class from group object (1436); remove superior classes from group object (1438); more aux classes? (1440); yes -> repeat; no -> done.







FIG. 35 (flowchart, reference numerals 1600-1624; decision text not legible): Identity Server Receives Request (1600); decision (1602); Identity Server Performs Pre-Processing (1604); Identity Server Translates Request (1606); Identity Server Performs Request (1608); Identity Server Prepares Output XML (1610); decision (1612); Identity Server Performs Post-Processing (1614); decision (1616); Identity Server Prepares Server-Side Response (1618); Identity Server Prepares Client-Side Response (1620); Identity Server Forwards Response to Web Server (1622); Web Server Forwards Response to Client (1624); Done.






FIG. 36 (flowchart, reference numerals 1640-1642): Identity Server Retrieves Pointer to Pre-Processing Application (1640); Identity Server Performs Pre-Processing Application (1642).

FIG. 37 (block diagram, reference numerals 1660-1676): Program Service (1660) with Programs (1662); store 1670 containing XML Templates (1672), XML Schemas (1674) and XSL Style Sheets (1676).






FIG. 38 (flowchart, reference numerals 1700-1706): Identity Server Identifies Program(s) (1700); Identity Server Retrieves XML Template(s) (1702); Identity Server Retrieves XSL Stylesheet(s) (1706).

FIG. 39 (flowchart, reference numerals 1730-1732): Identity Server Prepares XML Data Structure (1730); Identity Server Transforms XML Data Structure Into Output XML (1732).

FIG. 40 (flowchart, reference numerals 1750-1752): Identity Server Retrieves Pointer to Post-Processing Application (1750); Identity Server Performs Post-Processing Application (1752).






FIG. 41 (flowchart, reference numerals 1780-1784; decision text not legible): decision (1780); Identity Server Prepares Response With Output XML and No XSL Stylesheet references; Identity Server Prepares Response With Output XML and XSL Stylesheet references (1784); Done.

FIG. 42 (flowchart, reference numerals 1800-1802): Identity Server Combines Output XML and XSL Stylesheets (1800); Identity Server Formats HTML Document (1802).

FIG. 43 (flowchart, reference numerals 1820-1822): Identity Server Selects Navigation Bar XML Template Based on User Type (1820); Identity Server Selects Navigation Bar XML Template Portions Based on Explicit Program (1822).

FIG. 44 (block diagram, reference numerals 1826-1829): Thread of Execution; Thread Local Storage; Cache Pointer.







FIG. 45 (flowchart, reference numerals 1830-1848; decision text not legible): Web Server Receives Request (1830); Web Server Assigns Request to IS Thread (1832); Request Calls for Data Store Access (1833); decision (1834); No -> Retrieve Entry Through Directory Server (1838); Retrieve Entry from Cache (1840); element 1842; Create and Write to Cache Entry (1845); Remove Old Entry in Cache (1846); Write Entry Through Data Store (1848).






FIG. 46 (block diagram): Identity Server 1900 containing Function Modules, an Identity Server Management Registry, a Management Request Handler and an Identity Server Management Service (1910, 1912); Identity Server 1902 containing the same elements (1920, 1922).






FIG. 47 (flowchart, reference numerals 1940-1944): Function Module Issues Remote Request to Management Service (1940); Local Management Service Processes Remote Request (1942); Remote Identity Server Processes Remote Request (1944).

FIG. 49 (flowchart, reference numerals 1990-1994): Remote Management Request Handler Receives Remote Request (1990); Remote Management Request Handler Identifies Function Module for Remote Request (1992); Remote Management Request Handler Executes Function Module (1994).







FIG. 48 (flowchart, reference numerals 1964-1968): Local Management Service Executes Function Module (1964); Local Management Service Creates Message Channel(s) for Remote Request Server(s) (1966); Local Management Service Issues Remote Request to Remote Identity Server(s) (1968).






FIG. 50 (flowchart, reference numerals 2010-2016; decision text not legible): Local Identity Server Blocks New Requests (2010); decision (Yes); Local Identity Server Sends Non-Blocking Flush Request to Remote Identity Server (2013); Local Identity Server Flushes Cache (2014); Local Identity Server Unblocks New Requests (2016).

FIG. 51 (flowchart, reference numerals 2040-2046; decision text not legible): decision (2040, Yes); Remote Identity Server Blocks New Requests; Remote Identity Server Flushes Cache (2044); Remote Identity Server Unblocks New Requests (2046).






FIG. 52 (block diagram): Identity Server (40) with Certificate Registration Module (2072); Certificate Processing Server(s) (2076); Signing Device(s) (2078); Certificate Authority(ies) (2084); element 36.






FIG. 53 (flowchart): Identity Server Receives Certificate Request; Certificate Registration Module Responds to Certificate Request.

FIG. 56 (flowchart, reference numerals 2190-2192): Certificate Registration Module Retrieves Certificate Workflow (2190); Certificate Registration Module Obtains Renewal Certificate (2192).






FIG. 54 (flowchart, reference numerals 2120-2130; decision text not legible): Certificate Registration Module Retrieves Certificate Enrollment Workflow (2120); Certificate Registration Module Retrieves Required Information (2122); Certificate Registration Module Retrieves Approval Response (2124); decision; No -> Certificate Registration Module Issues Error/Rejection Report (2130); otherwise Certificate Registration Module Obtains Certificate; Done.






FIG. 55 (certificate enrollment flowchart, reference numerals 2150-2170): Certificate Registration Module Authenticates Requesting User; Certificate Registration Module Forwards Certificate Enrollment Request to Certificate Processing Server; Certificate Processing Server Obtains Digital Signature from Signing Device for Certificate Request; Certificate Processing Server Forwards Certificate Signing Request to Certificate Authority; Certificate Authority Creates a Certificate; Certificate Authority Forwards Certificate to Certificate Processing Server; Certificate Processing Server Forwards Certificate to Certificate Registration Module; Certificate Registration Module Stores Certificate in Data Store; Certificate Registration Module Notifies User of Certificate.






FIG. 57 (certificate renewal flowchart, reference numerals 2210-2226): Certificate Registration Module Authenticates Requesting User; Certificate Registration Module Forwards Renewal Request to Certificate Processing Server; Certificate Processing Server Obtains Digital Signature from Signing Device for Certificate Request; Certificate Processing Server Forwards Certificate Signing Request to Certificate Authority; Certificate Authority Forwards Acknowledgement to Certificate Processing Server; Certificate Processing Server Forwards Acknowledgement to Certificate Registration Module; Certificate Registration Module Updates Certificate in Data Store; Certificate Registration Module Notifies User of Certificate Renewal.






FIG. 58 (flowchart, reference numerals 2250-2252): Certificate Registration Module Retrieves Certificate Workflow (2250); Certificate Registration Module Obtains Certificate Revocation (2252).

FIG. 59 (certificate revocation flowchart, reference numerals 2270-2282): Certificate Registration Module Authenticates Requesting User; Certificate Registration Module Forwards Revocation Request to Certificate Processing Server; Certificate Processing Server Obtains Digital Signature from Signing Device for Certificate Request; Certificate Processing Server Forwards Certificate Signing Request to Certificate Authority; Certificate Authority Forwards Acknowledgement to Certificate Processing Server; Certificate Processing Server Forwards Acknowledgement to Certificate Registration Module.






FIG. 59A (flowchart, reference numerals 3400-3404): Identity Server Retrieves Real Time Certificate Status (3400); Identity Server Stores Certificate Status (3402); Identity Server Stores Validation Information (3404).






FIG. 59B (flowchart, reference numerals 3420-3434): Identity Server Receives Certificate Export Request (3420); Identity Server Exports Certificate (3434).






FIG. 59C (flowchart, reference numerals 3450-3466; decision text not legible): Identity Server Receives Certificate Display Request (3450); decision; Identity Server Retrieves Real Time Status / Identity Server Retrieves Stored Status; Identity Server Identifies Certificate Fields to Display (3462, on each branch); Identity Server Displays Certificate and Status (3464); Identity Server Displays Certificate Without Status (3466).






FIG. 60 (policy domain creation flowchart, reference numerals 2400-2416): receive request to create policy domain (2400); store name and description of policy domain (2402); add URL prefixes (with optional regions) (2404); specify one or more host IDs (2405); add or select authentication rule for policy domain (2406); add one or more authorization rules (2408); specify order of authorization rules (2410); configure policy domain audit rule (2412); add policies (2414); store and update cache(s) (optional) (2416).






add timing conditions 



-2432 



add header variables for 
authorization success and 
failure 



-2434 



2450—— add variable name 



add redirect URLs for 
authorization success and 
failure 



2452- 



-2436 



enter text string in return field 



add users, roles, LDAP rules, 
and IP addresses to allow 
access 



-2438 



2454- 



Y 



enter LDAP attributes 



add users, roles, LDAP rules, 
and IP addresses to deny 
access 



2456 



-2440 



set priority between allow 
and deny 



-2442 




define POST data used for 
authorization (optional) 



-2444 



I done ] 



FIG. 62 



set rule priority relative to 
other rules 



-2446 



FIG. 61 



Page 43 of 52

FIG. 63 (flowchart, creating an authentication rule): 2470 select authentication scheme -> 2472 add header variables for authentication success and failure -> 2474 add redirect URLs for authentication success and failure.

FIG. 64 (flowchart, creating a policy): 2518 select resource type -> 2520 select operation -> 2522 enter path -> 2524 enter order dependent query string -> 2526 enter order independent query string variables and values -> 2528 select or create authentication rule -> 2530 create one or more authorization rules -> 2532 configure audit rule -> 2534 add POST data.
Page 44 of 52

FIG. 65 (flowchart, Web Gate request handling): 2550 user's browser requests resource -> 2552 request intercepted by Web Gate -> 2553 (decision) -> 2560 attempt to authenticate user -> 2562 (decision). N: 2564 log unsuccessful authentication -> 2566 perform authentication failure actions and deny user access to resource. Y: 2574 log successful authentication -> 2576 perform authentication success actions -> 2580 Web Gate passes authentication cookie to browser -> 2590 attempt to authorize user -> (decision). N: 2596 log unsuccessful authorization -> 2598 perform authorization failure actions and deny user access to resource. Y: log successful authorization -> 2594 perform authorization success actions -> 2595 grant access to resource.
Page 45 of 52

FIG. 66 (flowchart, determining whether a resource is protected): 2630 (decision) resource found in Web Gate resource cache? N: 2633 Web Gate passes resource URL to Access Server -> 2636 Access Server attempts to map resource to a policy domain -> 2638 (decision) -> Access Server loads authentication rule -> 2646 Access Server loads audit rule -> 2648 Access Server passes authentication scheme ID, audit mask, retainer, and POST data to Web Gate -> 2650 Web Gate caches authentication scheme ID, audit mask, retainer, and POST data in resource cache -> 2632 resource protected.
Page 46 of 52

FIG. 67 (flowchart, mapping a resource URL to a policy domain): 2700 Access Server receives resource URL -> Access Server compares resource URL prefix with URL prefixes in URL prefix cache -> (decision: match?) Y: 2706 map resource to policy domain of URL prefix. N: crop right-most term from resource URL prefix and compare again; when no prefix remains: 2712 no policy domain associated with requested resource.
Page 47 of 52

FIG. 68 (flowchart, loading authentication rules for a policy domain): 2730 Access Server loads default authentication rule and all policies for mapped policy domain from Directory Server into policy domain cache -> 2731 Access Server selects rule in array of rules in policy domain cache -> (decision) Y: 2736 Access Server caches specific authentication rule in authentication rule cache -> return second level rule; 2737 Access Server selects next rule identified in array -> done.
Page 48 of 52

FIG. 69 (flowchart): 2760 access policy info from cache.
Page 49 of 52

FIG. 70 (flowchart, selecting the authentication challenge scheme): 2920 read authentication challenge scheme from resource cache -> 2922 (decision) N: 2924 load authentication challenge scheme from Directory Server -> branch on scheme: Basic -> 2928 Basic Authentication; Form -> 2930 Form Authentication; Certificate -> 2932 Certificate Authentication; None -> 2934 No Authentication.

FIG. 71 (data structure 3150, fields): 3152 Authentication level; 3154 User ID; 3156 User's IP address; 3158 Session start time; 3160 Idle start time; 3162 Secured hash.
Page 50 of 52

FIG. 72 (flowchart, authorization by the Access Server): 3194 (decision) authorization rules found in authorization rule cache? Y: 3196 Access Server reads authorization rule from authorization rule cache. N: 3198 load authorization rules with authorization actions from Directory Server. Then 3200 Access Server applies authorization rule to authorization information -> 3202 (decision). Y: 3204 Access Server retrieves all user profile attributes for all actions -> 3208 communicate to Web Gate successful authorization, actions, and attributes. N: 3211 Access Server retrieves all user profile attributes for all actions -> 3212 communicate to Web Gate unsuccessful authorization, actions, and attributes.
Page 51 of 52

FIG. 73 (flowchart, loading authorization rules for a policy domain): 3280 Access Server loads default authorization rule for policy domain from Directory Server into authorization rule cache -> 3282 Access Server selects first rule -> (decision) Y: 3292 Access Server caches specific authorization rule in authorization rule cache.
Page 52 of 52

FIG. 74 (reference numeral 3320; box labels not recovered).